Commit f1e4762147 for asterisk.org
commit f1e47621472bb3d8ad71f32823f5ca986e008437
Author: George Joseph <gjoseph@sangoma.com>
Date: Wed Jun 10 17:07:07 2026 -0600

pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.

The filter_on_tx_message() function was using pj_strassign() to save the pointer
of the pjproject transport local address to a local pj_str_t variable. That
variable was ultimately used to set the Contact header's uri->host and the SDP
connection attribute's address again using pj_strassign. pj_strassign() doesn't
copy the actual value of the pj_str_t however, it just copies the pointer so
if a connection-oriented transport is disconnected before the 200 OK with the
SDP is sent, those pointers will be invalid which can cause use-after-free
issues. To prevent this, filter_on_tx_message() now uses pj_strdup with the
tdata->pool as the backing store to save the local IP address to the local
variable. pj_strassign() can then be used safely later on since the tdata
will be available for the life of the transaction.

Resolves: #GHSA-g8q2-p36q-94f6

diff --git a/res/res_pjsip/pjsip_message_filter.c b/res/res_pjsip/pjsip_message_filter.c
index 7f1b7d736c..4b7a5be75e 100644
--- a/res/res_pjsip/pjsip_message_filter.c
+++ b/res/res_pjsip/pjsip_message_filter.c
@@ -277,11 +277,11 @@ static pj_status_t filter_on_tx_message(pjsip_tx_data *tdata)
/* If the chosen transport is not bound to any we can't use the source address as it won't get back to us */
if (!is_bound_any(tdata->tp_info.transport)) {
- pj_strassign(&prm.ret_addr, &tdata->tp_info.transport->local_name.host);
+ pj_strdup(tdata->pool, &prm.ret_addr, &tdata->tp_info.transport->local_name.host);
}
} else {
/* The transport chosen will deliver this but ensure it is updated with the right information */
- pj_strassign(&prm.ret_addr, &tdata->tp_info.transport->local_name.host);
+ pj_strdup(tdata->pool, &prm.ret_addr, &tdata->tp_info.transport->local_name.host);
}
/* If the message needs to be updated with new address do so */
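Review bot: Neither of the two new pj_strdup() calls (the !is_bound_any() branch and the else branch) has a comment saying why the host string must be copied into tdata->pool rather than assigned, so the lifetime requirement lives only in the commit message and a later cleanup could plausibly switch them back to pj_strassign(). Consider a short comment above each call, or above the first with a reference from the second, stating that transport->local_name.host belongs to the transport and can be freed while prm.ret_addr is still referenced from the message. Since both branches now contain the identical statement, it may also be worth checking whether the copy can be hoisted so it appears once, which would leave a single place to document and maintain. Each call allocates from tdata->pool, which is fine for one address string, but it is worth confirming how often this callback can run for the same tdata, since those allocations are only released with the pool.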